C++ Difference between SaferCPlusPlus and Clang/LLVM Sanitizers

C++ Difference between SaferCPlusPlus and Clang/LLVM Sanitizers

SaferCPlusPlus vs Clang/LLVM Sanitizers

The Clang/LLVM compiler provides a set of “sanitizers” (adopted by GCC) that address C/C++ “code safety” issues. While they address many of the same bugs, the solutions provided by the SaferCPlusPlus library and the Clang/LLVM sanitizers differ in significant ways. Namely (as of Sep 2016):

  • The Clang/LLVM sanitizers require modifications to the build process, not the code, whereas with SaferCPlusPlus it’s the other way around.
  • SaferCPlusPlus can more completely solve the problem of invalid memory access, but in doing so does not support certain potentially dangerous language features (like pointer arithmetic).
  • When encountering an invalid memory operation at run-time, the Clang/LLVM sanitizers terminate the executable, where SaferCPlusPlus, by default, throws a (catchable) exception but supports any user-defined action, including program termination.
  • SaferCPlusPlus is portable C++ code that works on any platform, whereas Clang/LLVM sanitizers are available/maintained on a finite (but at the moment, ample) set of OS-architecture combinations.
  • The Clang/LLVM sanitizers cost more in terms of run-time performance. ~2x slowdown for the AddressSanitizer, for example. SaferCPlusPlus generally has substantially lower performance costs, mainly because the Clang/LLVM sanitizers cannot assume any cooperation from the source code, so they have to instrument pretty much every allocated piece of memory and check pretty well every pointer dereference.
  • SaferCPlusPlus supports the mixing of “safe” and (high-performance) “unsafe” code at a granular level, where Clang/LLVM Sanitizers apply to entire modules, or as in the case of the MemorySanitizer, all modules, requiring recompilation of any linked libraries.
  • Clang’s ThreadSanitizer tries to detect data race bugs, while SaferCPlusPlus provides data types that eliminate the possibility of data race bugs (and a superset we call “object race” bugs).

Clang/LLVM Sanitizers are intended for debugging purposes, not to be used in deployed executables. As such, by design, some of their debugging convenience features themselves introduce opportunities for malicious exploitation. SaferCPlusPlus on the other hand is designed to be used in deployed executables, as well as for debugging and testing. And that’s reflected in its performance, security and “completeness of solution”.

But SaferCPlusPlus and the Clang/LLVM Sanitizers are not incompatible, and there’s no reason you couldn’t use both simultaneously, although there would be significant redundancies.